coolaj86
/
oauth3.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bugfixes from file renames

This commit is contained in:
AJ ONeal 2017-02-21 16:54:37 -07:00
parent 0b93cdc2fa
commit 6a56024c74
4 changed files with 125 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
oauth3.core.js
View File

@ -20,6 +20,11 @@
// http://stackoverflow.com/questions/9677985/uncaught-typeerror-illegal-invocation-in-chrome
return (exports.atob || require('atob'))(base64);
}
, btoa: function (b64) {
// for directive passing in .well-known/oauth3
// http://stackoverflow.com/questions/9677985/uncaught-typeerror-illegal-invocation-in-chrome
return (exports.btoa || require('btoa'))(b64);
}
, decodeUrlSafe: function (b64) {
// URL-safe Base64 to Base64
// https://en.wikipedia.org/wiki/Base64
@ -30,6 +35,13 @@
b64 = b64.replace(/-/g, '+').replace(/_/g, '/');
return OAUTH3._base64.atob(b64);
}
, encodeUrlSafe: function (b64) {
// for directive passing in .well-known/oauth3
// Base64 to URL-safe Base64
b64 = b64.replace(/\+/g, '-').replace(/\//g, '_');
b64 = b64.replace(/=+/g, '');
return OAUTH3._base64.btoa(b64);
}
}
, uri: {
normalize: function (uri) {
@ -73,7 +85,38 @@
}
}
, query: {
stringify: function (params) {
parse: function (search) {
// needed for .well-known/oauth3
// parse a query or a hash
if (-1 !== ['#', '?'].indexOf(search[0])) {
search = search.substring(1);
}
// Solve for case of search within hash
// example: #/authorization_dialog/?state=...&redirect_uri=...
var queryIndex = search.indexOf('?');
if (-1 !== queryIndex) {
search = search.substr(queryIndex + 1);
}
var args = search.split('&');
var argsParsed = {};
var i, arg, kvp, key, value;
for (i = 0; i < args.length; i += 1) {
arg = args[i];
if (-1 === arg.indexOf('=')) {
argsParsed[decodeURIComponent(arg).trim()] = true;
}
else {
kvp = arg.split('=');
key = decodeURIComponent(kvp[0]).trim();
value = decodeURIComponent(kvp[1]).trim();
argsParsed[key] = value;
}
}
return argsParsed;
}
, stringify: function (params) {
var qs = [];
Object.keys(params).forEach(function (key) {
@ -522,8 +565,6 @@
return OAUTH3._requestHelper(preq, opts);
}
OAUTH3.url.resolve(preq.providerUri || preq.provider_uri || preq.directives && preq.directives.issuer, preq.url);
if (!preq.session) {
return fetch();
}
@ -757,7 +798,7 @@
, status: xhr.status
});
};
xhr.open(preq.method, preq.url, true);
xhr.open(preq.method || 'GET', preq.url, true);
var headers = preq.headers || {};
Object.keys(headers).forEach(function (key) {
xhr.setRequestHeader(key, headers[key]);
@ -989,9 +1030,12 @@
, request: function (preq) {
preq.client_uri = this._clientUri;
preq.client_id = this._clientUri;
preq.method = preq.method || 'GET';
if (this._session) {
preq.session = preq.session || OAUTH3.hooks.session._getCached(this._providerUri);
}
// TODO maybe use a baseUrl from the directives file?
preq.url = OAUTH3.url.resolve(this._providerUri, preq.url);
return OAUTH3.request(preq);
}
, logout: function (opts) {

69
well-known/oauth3/callback.html
View File

@ -16,6 +16,73 @@
<!-- TODO permanently cache with appcache (or service worker?) -->
<!-- TODO slim this all down to a single file -->
<script src="/assets/org.oauth3/oauth3.core.js"></script>
<script src="callback.js"></script>
<script>
;(function () {
'use strict';
var loc = window.location;
var loginWinObj = window.OAUTH3.query.parse(loc.hash || loc.search);
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";
if (loginWinObj.debug) {
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
}
// '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
// TODO finalize name of '--oauth3-callback-', this will be a defacto standard
// TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
var callbackName = '--oauth3-callback-' + loginWinObj.state;
console.log(prefix, loc.href);
console.log(prefix, 'Parsed URL Obj:', loginWinObj);
console.log(prefix, 'callbackName:', callbackName);
window.oauth3complete = function () {
// The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
// see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
// TODO Should we still create an abstraction for older versions?
if (window.parent) {
// iframe
try {
window.parent[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
if (window.opener) {
try {
window.opener[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
console.error("neither window.parent nor window.opener existed to complete callback");
/*
// the caller should close (or signal to close) the window
try {
window.close();
} catch (err) {
console.log('Error: ', err);
}
*/
};
if (!loginWinObj.debug) {
window.oauth3complete();
}
else {
document.body.innerHTML = window.location.hostname + window.location.pathname
+ '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
+ ' to let you look at logs or whatever it is that you intended to do.'
+ '<br/><br/>Continue with callback: <a href="javascript:window.oauth3complete()">javascript:window.oauth3complete()</' + 'a>';
return;
}
}());
</script>
</body>
</html>

66
well-known/oauth3/callback.js
View File

@ -1,66 +0,0 @@
;(function () {
'use strict';
var loc = window.location;
var loginWinObj = window.OAUTH3.query.parse(loc.hash || loc.search);
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";
if (loginWinObj.debug) {
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
}
// '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
// TODO finalize name of '--oauth3-callback-', this will be a defacto standard
// TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
var callbackName = '--oauth3-callback-' + loginWinObj.state;
console.log(prefix, loc.href);
console.log(prefix, 'Parsed URL Obj:', loginWinObj);
console.log(prefix, 'callbackName:', callbackName);
window.oauth3complete = function () {
// The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
// see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
// TODO Should we still create an abstraction for older versions?
if (window.parent) {
// iframe
try {
window.parent[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
if (window.opener) {
try {
window.opener[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
console.error("neither window.parent nor window.opener existed to complete callback");
/*
// the caller should close (or signal to close) the window
try {
window.close();
} catch (err) {
console.log('Error: ', err);
}
*/
};
if (!loginWinObj.debug) {
window.oauth3complete();
}
else {
document.body.innerHTML = window.location.hostname + window.location.pathname
+ '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
+ ' to let you look at logs or whatever it is that you intended to do.'
+ '<br/><br/>Continue with callback: <a href="javascript:window.oauth3complete()">javascript:window.oauth3complete()</' + 'a>';
return;
}
}());

15
well-known/oauth3/index.html
View File

@ -10,14 +10,16 @@
<body>
OAuth3 RPC
<script src="/assets/com.jquery/jquery-3.1.1.js"></script>
<script src="/assets/org.oauth3/oauth3.core.js"></script>
<script>
;(function () {
'use strict';
// Taken from oauth3.core.js
// TODO what about search within hash?
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/]";
var params = OAUTH3_CORE.queryparse(window.location.hash || window.location.search);
var params = OAUTH3.query.parse(window.location.hash || window.location.search);
if (params.debug) {
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
}
@ -28,9 +30,8 @@
console.log(prefix, 'params:');
console.log(params);
$.ajax({ url: 'directives.json' }).then(function (resp) {
var b64 = btoa(JSON.stringify(resp, null, 0))
var urlsafe64 = OAUTH3_CORE.utils.base64ToUrlSafeBase64(b64);
OAUTH3.request({ url: 'directives.json' }).then(function (resp) {
var urlsafe64 = OAUTH3._base64.encodeUrlSafe(JSON.stringify(resp, null, 0));
var redirect;
console.log(prefix, 'directives');
@ -45,7 +46,7 @@
// TODO make sure it's https NOT http
// NOTE: this can be only up to 2,083 characters
console.log(prefix, 'params.redirect_uri:', params.redirect_uri);
redirect = params.redirect_uri + '?' + OAUTH3_CORE.querystringify({
redirect = params.redirect_uri + '?' + OAUTH3.query.stringify({
state: params.state
, directives: urlsafe64
, debug: params.debug || undefined
@ -63,6 +64,8 @@
+ '<br/><br/>Continue with redirect: <a href="' + redirect + '">' + redirect + '</' + 'a>';
}
});
}());
</script>
</body>
</html>